Run in FIPS mode

To run client systems in FIPS mode, refer to the FileVault FIPS Security Policy (Mac clients) or the BitLocker FIPS Security Policy (Windows clients).

BitLocker systems

For FIPS mode to be reported as active on a BitLocker-managed system, the client must be encrypted and managed by MNE with the FIPS GPO set. If the client was already encrypted when MNE was installed (even if it was encrypted in FIPS mode), MNE reports that the client system does not meet the FIPS requirements. This is because the BitLocker FIPS Security Policy states that:

  • BitLocker can only be initialized by a Crypto Officer.
  • BitLocker will only allow a Crypto Officer to perform key management operations.

In this case, the client must be disabled, decrypted, and re-enabled through MNE under the control of the Crypto Officer before the system is reported as FIPS compliant.

The Security Policy also restricts how BitLocker may be used in FIPS mode. In particular, when running in FIPS mode:

  • only Cryptographic Officers are permitted to perform administrative BitLocker functions (such as recovery).
  • on Windows 7 systems, only 256-bit binary recovery keys are permitted; 48-digit numeric recovery keys are not permitted.

McAfee recommends that only Cryptographic Officers are given permission to perform MNE recoveries in McAfee ePO, using the relevant MNE permission sets. When a Cryptographic Officer performs a recovery, a .bek file containing the 256-bit binary recovery key must be requested from the MNE recovery page and securely transported to the client system on a USB stick before the Cryptographic Officer performs the recovery, as required by the BitLocker FIPS Security Policy. The self-service portal does not serve the 256-bit binary recovery keys used in FIPS mode.
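The following PowerShell is an added example, not MNE or Microsoft code, showing the local checks a Cryptographic Officer can run on a BitLocker client before expecting MNE to report FIPS mode (FIPS algorithm policy enabled, volume fully encrypted, no 48-digit numeric recovery password protectors, a binary .bek protector present), together with the .bek-based unlock used during a FIPS recovery. It assumes Windows 8 / Server 2012 or later for Get-BitLockerVolume (on Windows 7 use `manage-bde -protectors -get <drive>` for the protector listing) and that the .bek file has been copied to removable media, e.g. E:\; the function names are this example's own. MNE's own compliance reporting also depends on whether the volume was encrypted under MNE, which no local check can show.

```powershell
# Added example (not MNE or Microsoft code). Requires the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later) and an elevated session.

function Test-FipsPolicyEnabled {
    # The "System cryptography: Use FIPS compliant algorithms" policy is
    # persisted here; a reboot is required after changing it.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Get-FipsProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = @()
    foreach ($kp in $vol.KeyProtector) {
        switch ($kp.KeyProtectorType) {
            # 48-digit numeric recovery password: not permitted in FIPS mode on Windows 7
            'RecoveryPassword' { $findings += "NON-COMPLIANT: numeric recovery password $($kp.KeyProtectorId)" }
            # 256-bit binary key stored in a .bek file: the permitted recovery protector
            'ExternalKey'      { $findings += "OK: binary recovery key (.bek) $($kp.KeyProtectorId)" }
            default            { $findings += "INFO: $($kp.KeyProtectorType) $($kp.KeyProtectorId)" }
        }
    }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # expect FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus  # expect On
        EncryptionMethod = $vol.EncryptionMethod
        FipsPolicy       = Test-FipsPolicyEnabled
        Findings         = $findings
    }
}

# Recovery step run by the Cryptographic Officer with the .bek file requested
# from the MNE recovery page and carried to the client on a USB stick.
function Unlock-WithBinaryRecoveryKey {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$BekPath   # e.g. E:\<KeyProtectorId>.BEK (assumed location)
    )
    if (-not (Test-Path -LiteralPath $BekPath)) { throw "Recovery key file not found: $BekPath" }
    # manage-bde takes the .bek file directly and is also present on Windows 7
    & manage-bde.exe -unlock $MountPoint -RecoveryKey $BekPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }
}

# Usage: pre-check before raising a FIPS compliance query with the MNE console
$report = Get-FipsProtectorReport -MountPoint 'C:'
$report | Format-List
if (-not $report.FipsPolicy) {
    Write-Warning 'FIPS algorithm policy is not enabled on this client.'
}
if ($report.Findings -match '^NON-COMPLIANT') {
    Write-Warning 'Numeric recovery passwords present; only binary .bek recovery keys are permitted in FIPS mode.'
}
```

A RecoveryPassword protector on a FIPS-mode client is the usual reason the 48-digit key offered by the self-service portal cannot be used; removing it and adding an ExternalKey protector (the .bek) is a key-management operation and, per the Security Policy above, must be carried out by the Crypto Officer through MNE rather than by hand.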